DATA PROTECTION AND DATA MANAGEMENT POLICY

• Application of the data protection and data management regulations

• Name of the organization:

• OrgoneLife Kft.

• Headquarters of the organization:

• 2141 Csömör, Közéhegy u. 46.

• Person responsible for the content of the regulations:

• Etelka Libisch

• Date of entry into force of the regulations:

• 10.06.2019

• This regulation establishes rules for the protection of natural persons with regard to the management of personal data and the free flow of personal data. The provisions of the regulations must be applied during specific data management activities, as well as when issuing instructions and information regulating data management.

• The obligation to employ (appoint) a data protection officer covers all public authorities or other bodies performing public tasks (regardless of what kind of data they process), as well as other organizations whose main activity is the systematic, large-scale monitoring of individuals, or which process special categories of personal data on a large scale.

• The organization □ employs □ does not employ a data protection officer

• If a data protection officer is employed:

• Name:

• Position:

• Availability:

• Scope of the regulations

• These regulations are valid until withdrawn, and their scope extends to the organization's officials, employees and the organization's data protection officer.

• Date: June 10, 2019.

• ...................................................

• the head of the organization

• Purpose of the policy

• The purpose of these regulations is to harmonize the provisions of the organization's other internal regulations regarding data management activities in order to protect the fundamental rights and freedoms of natural persons, as well as to ensure the appropriate management of personal data.

• In the course of its activities, the organization intends to fully comply with the legal requirements for the management of personal data, in particular with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council.

• Another important goal of issuing the regulations is that by familiarizing them with and complying with them, the organization's employees are able to manage the data of natural persons legally.

• Essential concepts and definitions

• the GDPR (General Data Protection Regulation) is the new Data Protection Regulation of the European Union

• data controller: the natural or legal person, public authority, agency or any other body that, alone or together with others, determines the purposes and means of processing personal data; if the purposes and means of data management are determined by EU or member state law, the data controller, or the specific criteria for its designation, may also be determined by EU or member state law;

• data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

• data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;

• personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier, or to one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

• third party: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who have been authorized to process personal data under the direct control of the data controller or data processor;

• the consent of the data subject: the voluntary, specific and clear declaration of the will of the data subject, based on adequate information, by which the data subject indicates, by means of a statement or an act clearly expressing affirmation, that he gives his consent to the processing of his personal data;

• restriction of data management: marking stored personal data for the purpose of limiting their future management;

• pseudonymisation: the processing of personal data in such a way that, without the use of additional information, it is no longer possible to establish which specific natural person the personal data refers to, provided that such additional information is stored separately and that technical and organizational measures ensure that the personal data cannot be linked to an identified or identifiable natural person;

• registration system: the file of personal data in any way - centralized, decentralized or divided according to functional or geographical aspects - which is accessible based on specific criteria;

• data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled;

• Guidelines for data management

• Personal data must be handled legally and fairly, as well as in a transparent manner for the data subject.

• Personal data may only be collected for specific, clear and legal purposes.

• The purpose of processing personal data should be appropriate and relevant, and may only be to the extent necessary.

• Personal data must be accurate and up-to-date. Inaccurate personal data must be deleted immediately.

• Personal data must be stored in such a way that it allows the identification of the data subjects only for the necessary time. Personal data may be stored for a longer period of time only if the storage is for the purpose of archiving in the public interest, for scientific and historical research purposes, or for statistical purposes.

• The processing of personal data must be carried out in such a way that adequate security of personal data is ensured by applying appropriate technical or organizational measures, including protection against unauthorized or illegal processing, accidental loss, destruction or damage of data.

• The principles of data protection must be applied to all information relating to identified or identifiable natural persons.

• The organization's data processing employee bears disciplinary, civil (compensation), misdemeanor and criminal liability for the lawful handling of personal data. If the employee learns that the personal data he is managing is incorrect, incomplete or out of date, he must correct it or initiate its correction with the employee responsible for recording the data.

• Management of personal data

• Since natural persons can be associated with online identifiers provided by the devices, applications, tools and protocols they use, such as IP addresses and cookie identifiers, this data, combined with other information, can be used to create a profile of natural persons and to identify a person.

• Data processing may only take place if the person concerned gives his voluntary, specific, informed and clear consent to the processing of data by means of a clear affirmative action, for example a written - including electronic - or oral statement.

• Consent to data management is also considered if the person concerned ticks a relevant box while viewing the website. Silence, a pre-ticked box or inaction does not constitute consent.

• Consent is also considered if a user makes relevant technical settings during the use of electronic services, or makes a statement or action that clearly indicates the consent of the person concerned to the processing of his personal data in the given context.

• Health personal data includes data relating to the data subject's state of health, which carries information about the data subject's past, present or future physical or mental state of health. These include the following:

• registration for the purpose of health services;

• a number, symbol or data assigned to a natural person for the purpose of individual identification for health purposes;

• information resulting from the testing or examination of a body part or body material, including genetic data and biological samples;

• information about the subject's illness, disability, disease risk, medical history, clinical treatment or physiological or biomedical condition, regardless of its source, which may be, for example, a doctor or other health care professional, a hospital, a medical device or a diagnostic test.

• Genetic data is defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample taken from the person concerned - in particular chromosome analysis, or the examination of deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) - or from the examination of any other element enabling equivalent information to be obtained.

• The personal data of children deserve special protection, as they may be less aware of the risks and consequences associated with the management of personal data and the related guarantees and rights. This special protection applies mainly to the use of children's personal data for marketing purposes and for the purpose of creating personal or user profiles.

• Personal data must be managed in a way that ensures an appropriate level of security and confidentiality, including in order to prevent unauthorized access to personal data and the tools used to manage personal data, as well as their unauthorized use.

• All reasonable steps must be taken to correct or delete inaccurate personal data.

• Lawfulness of data management

• The processing of personal data is legal if one of the following is fulfilled:

• the data subject has given his consent to the processing of his personal data for one or more specific purposes;

• data management is necessary to fulfill a contract in which the data subject is one of the parties, or it is necessary to take steps at the request of the data subject prior to the conclusion of the contract;

• data management is necessary to fulfill the legal obligation of the data controller;

• data processing is necessary to protect the vital interests of the data subject or another natural person;

• data management is in the public interest or is necessary for the execution of a task performed in the context of the exercise of public authority granted to the data controller;

• data processing is necessary to enforce the legitimate interests of the data controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.

• Pursuant to the above, data processing is considered lawful if it is necessary in the context of a contract or intention to enter into a contract.

• If the data processing takes place in the context of the fulfillment of a legal obligation for the data controller, or if it is necessary for the execution of a task in the public interest or for the exercise of a public authority, the data processing must have a legal basis in EU law or the law of a member state.

• Data processing must be considered lawful when it is necessary to protect an interest essential to the life of the data subject or of another natural person, as mentioned above. With reference to the vital interests of another natural person, personal data processing may in principle only take place if the data processing in question cannot be carried out on any other legal basis.

• Some types of personal data processing may serve important public interests and the vital interests of the data subject at the same time, for example in cases where data processing is required for humanitarian reasons, including when it is necessary to monitor epidemics and their spread, or in a humanitarian emergency, especially in the case of natural or man-made disasters.

• The legitimate interest of the data controller - including a data controller to whom the personal data may be disclosed - or of a third party may create a legal basis for data management. Such a legitimate interest may exist, for example, when there is a relevant and appropriate relationship between the data subject and the data controller, such as where the data subject is a client of the data controller or is employed by it.

• The processing of personal data that is absolutely necessary for the purpose of fraud prevention is also considered a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes is also considered to be based on a legitimate interest.

• In order to establish the existence of a legitimate interest, it is necessary to carefully examine, among other things, whether the person concerned can reasonably expect, at the time and in connection with the collection of the personal data, that data processing may take place for the given purpose. The interests and fundamental rights of the data subject may take precedence over the interests of the data controller if the personal data are processed under circumstances in which the data subjects do not expect further data processing.

• Personal data processing carried out by public authorities, computer emergency response units, network security incident management units, electronic communication network operators and service providers, and security technology service providers to the extent that is absolutely necessary and proportionate to guarantee network and IT security is considered the legitimate interest of the data controller concerned.

• The processing of personal data for purposes other than the original purpose of their collection is only permitted if the data processing is compatible with the original purposes of the data processing for which the personal data were originally collected. In this case, there is no need for a separate legal basis other than the one that enabled the collection of personal data.

• The handling of personal data by the authorities in order to achieve the goals of officially recognized religious organizations established in constitutional law or international public law is considered to be based on public interest.

• The consent of the person concerned, conditions

• If the data management is based on consent, the data controller must be able to prove that the data subject has consented to the processing of his personal data.

• If the data subject gives his consent in the context of a written statement that also applies to other matters, the request for consent must be communicated in a way that is clearly distinguishable from these other matters.

• The data subject has the right to withdraw his consent at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal. Before giving consent, the data subject must be informed of this. It should be possible to withdraw consent in the same way as to give it.

• When determining whether the consent is voluntary, the greatest possible account must be taken, among other things, of whether the performance of a contract - including the provision of a service - is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

• The processing of personal data in relation to information society-related services offered directly to children is legal if the child has reached the age of 16. In the case of a child under the age of 16, the handling of the children's personal data is only legal if and to the extent that the consent was given or authorized by the person exercising parental supervision over the child.

• The processing of personal data referring to racial or ethnic origin, political opinion, religious or worldview beliefs or trade union membership, as well as genetic and biometric data aimed at the unique identification of natural persons, health data and personal data relating to the sexual life or sexual orientation of natural persons is prohibited, unless the data subject has given his express consent to the processing of said personal data for one or more specific purposes.

• Personal data relating to criminal convictions and offenses, and to related security measures, may only be processed under the control of a public authority.

• Data management that does not require identification

• If the purposes for which the data controller processes personal data do not or no longer require the identification of the data subject by the data controller, the data controller is not obliged to keep additional information.

• If the data controller can prove that he is not in a position to identify the data subject, the data subject must be informed accordingly, if possible.

• Information and rights of the person concerned

• The principle of fair and transparent data management requires that the data subject be informed about the facts and purposes of data management.

• If the personal data is collected from the data subject, the data subject must also be informed whether he is obliged to disclose the personal data, as well as the consequences of not providing the data. This information can also be supplemented with standardized icons in order for the data subject to receive general information about the planned data management in a clearly visible, easily understandable and legible form.

• Information related to the handling of personal data concerning the data subject must be provided to the data subject at the time of data collection, or if the data was not collected from the data subject but from another source, it must be made available within a reasonable time frame, taking into account the circumstances of the case.

• The data subject has the right to access the data collected about him and to exercise this right simply and at reasonable intervals in order to establish and check the legality of the data management. All data subjects must have the right to know, in particular, the purposes for which personal data are processed and, if possible, the period of time for which personal data is processed.

• In particular, the data subject is entitled to have their personal data deleted and no longer processed if the collection or processing of personal data in another way is no longer necessary in connection with the original purposes of the data management, or if the data subjects have withdrawn their consent to the processing of the data.

• If the processing of personal data takes place for direct marketing purposes, the data subject must be guaranteed the right to object to the processing of his personal data for this purpose at any time, free of charge.

• Review of personal data

• In order to ensure that the storage of personal data is limited to the necessary period, the data controller establishes deletion or regular review deadlines.

• Regular review deadline established by the head of the organization: 1 year.

• Duties of the data controller

• The data controller applies appropriate internal data protection rules for the sake of legal data management. This regulation covers the powers and responsibilities of the data controller.

• It is the duty of the data controller to implement appropriate and effective measures, as well as to be able to prove that the data management activities comply with the applicable legislation.

• This regulation must be made taking into account the nature, scope, circumstances and purposes of data processing, as well as the risk affecting the rights and freedoms of natural persons.

• The data manager implements appropriate technical and organizational measures, taking into account the nature, scope, circumstances and purposes of data management, as well as the varying probability and severity of the risk to the rights and freedoms of natural persons. On the basis of this regulation, other internal regulations are reviewed and, if necessary, updated.

• The data manager or the data processor keeps appropriate records of the data management activities carried out on the basis of its authority. All data managers and data processors are obliged to cooperate with the supervisory authority and make these records available upon request in order to control the relevant data management operations.

• Rights related to data management

• The right to request information

• Any person can request information via the provided contact information about what data the organization processes, on what legal basis, for what data management purpose, from what source, and for how long. Upon request, the information must be sent to the provided contact information immediately, but within 30 days at the latest.

• Right to rectification

• Any person can request the modification of any of their data via the provided contact information. Upon request, action must be taken immediately, but within 30 days at most, and information must be sent to the contact address provided.

• The right to erasure

• Any person can request the deletion of their data via the provided contact information. Upon request, this must be done immediately, but within 30 days at most, and information must be sent to the contact address provided.

• The right to block and restrict

• Any person can request the blocking of their data via the provided contact information. The blocking lasts as long as the specified reason makes it necessary to store the data. Upon request, this must be done immediately, but within 30 days at most, and information must be sent to the contact address provided.

• The right to object

• Any person can object to data management via the contact details provided. The objection must be examined as soon as possible, but no later than 15 days after the submission of the application, a decision must be made regarding its validity and information about the decision must be sent to the contact address provided.

• Possibility of legal enforcement related to data management

• National Data Protection and Freedom of Information Authority

• Postal address: 1530 Budapest, Pf.: 5.

• Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

• Phone: +36 (1) 391-1400

• Fax: +36 (1) 391-1410

• E-mail: ugyfelszolgalat (at) naih.hu

• URL https://naih.hu

• Coordinates: N 47°30'56''; E 18°59'57''

• In the event of a violation of the data subject's rights, the data subject may bring an action before the court against the data controller. The court hears the case with priority. The lawsuit may be brought by the person concerned - at his or her choice - before the competent court based on his or her place of residence.

• The tasks of the organization for adequate data protection

• Data protection awareness. Professional preparation must be ensured to comply with the legislation. It is essential to prepare the staff professionally and familiarize them with the regulations.

• The purpose and criteria of data management, the concept of personal data management must be reviewed. Legal data management and data processing must be ensured in accordance with the data protection and data management regulations.

• Adequate information to the person involved in data management. It should be noted that - if the data processing is based on the data subject's consent - in case of doubt, the data controller must prove that the data processing has been consented to by the data subject.

• The information provided to the person concerned should be concise, easily accessible and easy to understand, therefore it should be formulated and displayed in clear and understandable language.

• The requirement of transparent data management is that the person concerned receives information about the facts and purposes of data management. The information must be provided before the start of the data management and the right to information belongs to the data subject until its termination during the data management.

• The main rights of the person involved in data management are the following:

• access to personal data relating to him;

• correction of personal data;

• deletion of personal data;

• limiting the processing of personal data;

• objection to profiling and automated data processing;

• the right to data portability.

• The data controller informs the data subject without undue delay, but at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The obligation to provide information can be ensured by operating a secure online system through which the data subject can easily and quickly access the necessary information.

• The data management carried out by the organization must be reviewed, and the enforcement of the right to informational self-determination must be ensured. At the request of the person concerned, his/her data must be deleted without delay if the person concerned withdraws the consent that is the basis for data management.

• It must be clear from the consent of the person concerned that the person concerned consents to data management. If data management is based on the data subject's consent, in case of doubt, the data controller must prove that the data subject consented to the data management operation.

• In the case of personal data management of children, special attention must be paid to compliance with data management rules. The processing of personal data in relation to information society-related services offered directly to children is legal if the child has reached the age of 16. In the case of a child under the age of 16, the handling of the children's personal data is only legal if and to the extent that the consent was given or authorized by the person exercising parental supervision over the child.

• In case of illegal handling or processing of personal data, there is an obligation to report to the supervisory authority. The data controller must report the data protection incident to the supervisory authority without undue delay - if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is likely to pose no risk to the rights of the natural person.

• In certain cases, it may be justified for the data controller to conduct a data protection impact assessment prior to data management. During the impact assessment, it is necessary to examine how the planned data management operations affect the protection of personal data. If the data protection impact assessment determines that data management is likely to involve a high risk, the data controller must consult with the supervisory authority before processing personal data.

• In the event that the main activities include data management operations that, due to their nature, scope or goals, require regular and systematic, large-scale monitoring of the data subjects, a data protection officer must be appointed. The appointment of a data protection officer aims to strengthen data security.

• Data security

• The data must be protected by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used.

• In order to protect the data files managed electronically in the registers, an appropriate technical solution must be used to ensure that the data stored in the registers cannot be directly linked and assigned to the person concerned.

• When planning and applying data security, the current state of technology must be taken into account. Among several possible data management solutions, the one that ensures a higher level of protection of personal data must be chosen, unless it would represent a disproportionate difficulty for the data controller.

• Data Protection Officer

• The appointment of a data protection officer is mandatory based on the following criteria:

• data management is carried out by public authorities or other bodies performing public tasks, with the exception of courts acting in the scope of their judicial duties;

• the main activities of the data manager or data processor include data management operations that, due to their nature, scope or goals, require regular and systematic, large-scale monitoring of the data subjects;

• the main activities of the data manager or the data processor relate to the processing of a large number of personal data related to decisions regarding the determination of criminal liability and criminal offenses.

• If the appointment of a data protection officer is mandatory, the following rules apply:

• The data protection officer must be appointed on the basis of professional competence and, in particular, expert-level knowledge of data protection law and practice, as well as suitability for data management.

• The data protection officer can be an employee of the data controller or the data processor, but can also perform his duties within the framework of a service contract.

• The data manager or data processor must publish the name and contact information of the data protection officer, and they must also be communicated to the supervisory authority.

• Legal status of the data protection officer

• The data controller must ensure that the data protection officer is involved in all matters related to the protection of personal data in an appropriate and timely manner. It must be ensured that the resources necessary to maintain the expert level knowledge of the data protection officer are available.

• The data protection officer may not accept instructions from anyone regarding the performance of his duties. The data controller or the data processor may not dismiss or impose sanctions on the data protection officer in connection with the performance of his duties. The data protection officer is directly responsible to the top management of the data controller or data processor.

• Those concerned may contact the data protection officer in all matters related to the management of their personal data and the exercise of their rights.

• The data protection officer is bound by an obligation of confidentiality or an obligation to treat data confidentially in connection with the performance of his duties.

• The data protection officer may also perform other tasks, but there should be no conflicts of interest in relation to the tasks.

• Duties of the data protection officer

• Provides information and professional advice to the data manager or data processor, as well as to the employees performing data management;

• checks compliance with the data manager's or data processor's internal rules regarding the protection of personal data;

• upon request, provides professional advice regarding the data protection impact assessment, as well as monitors the completion of the impact assessment;

• cooperates with the supervisory authority.

• Data protection incident

• A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled.

• In the absence of appropriate and timely measures, a data protection incident can cause physical, financial or non-financial damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or identity abuse.

• The data protection incident must be reported to the competent supervisory authority without undue delay, and no later than 72 hours, unless it can be demonstrated in accordance with the principle of accountability that the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons.

• The affected person must be informed without delay if the data protection incident is likely to involve a high risk to the rights and freedoms of natural persons, so that they can take the necessary precautions.

• Data management for administrative and record purposes

• The organization may also process personal data in cases related to its activities and for administrative and record-keeping purposes.

• Data management is based on the voluntary and explicit consent of the person concerned, given on the basis of adequate information. After the detailed information has been provided (covering the purpose, legal basis and duration of the data processing, as well as the rights of the affected person), the affected person must be reminded of the voluntary nature of the data processing. Consent to data management must be recorded in writing.

• Data management for administrative and record-keeping purposes covers the following:

• data management of the organization's members and employees, which is based on a legal obligation;

• data management of persons in a contractual relationship with the organization for contact, settlement and record-keeping purposes;

• contact details of other organizations, institutions and businesses with a business relationship with the organization, which may also include contact and identification data of natural persons.

• Data processing according to the above is based partly on a legal obligation and partly on the express consent of the data subject to the processing of their data (e.g. for the purpose of an employment contract, or registration as a partner on a website).

• In the case of documents containing personal data that are sent to the organization in written form (e.g. a resume, a job application or other submissions), the consent of the person concerned must be assumed. After the case is closed, the documents must be destroyed unless consent has been given for their further use. The fact of destruction must be recorded in a protocol.

• In the case of data management for administrative purposes, personal data are only included in the documents and records of the given case. The processing of these data lasts until the document on which the processing is based is disposed of.

• Data management for administrative and record-keeping purposes must be reviewed annually in order to ensure that the storage of personal data is limited to the necessary period, and inaccurate personal data must be deleted immediately.

• Compliance with legislation must also be ensured in the case of data management for administrative and record-keeping purposes.

• Data management for other purposes

• If the organization wishes to carry out data management that is not included in this regulation, its internal regulations must be properly supplemented in advance, and sub-rules corresponding to the new data management purpose must be attached.

• Other documents belonging to the regulations

• Documents and regulations that, for example, contain a written statement of consent to data management, or describe the mandatory data management information to be provided in the case of websites, must be linked to the data protection and data management policy and managed together with it.

• Legislation on which data management is based

• Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (General Data Protection Regulation).

• Act CXII of 2011 on the right to informational self-determination and freedom of information.

• Act LXVI of 1995 on the protection of public documents, public archives and private archive material.

• Government Decree 335/2005 (XII. 29.) on the general requirements for document management of bodies performing public duties.

• Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society.

• Act C of 2003 on electronic communications.